Solved: KV_MODE=xml not working but xmlkv is

willcwhite · ‎04-07-2020

I have an app on a deployment server that takes in XML data, this app includes a props.conf with KV_MODE=xml.
When I see the data in Splunk, no XML fields are being extracted, but when I add | xmlkv to the end of my query, it extracts all XML fields. Since KV_MODE is for search time extractions does that mean that I have to also put this props.conf on the SHC? Or is there another reason why it's not working?

Thanks in advance.

manjunathmeti · ‎04-07-2020

KV_MODE is search time attribute. This doesn't work in indexers. You need to add it in props.conf in search head(s).

KV_MODE = [none|auto|auto_escaped|multi|json|xml]
* Used for search-time field extractions only.
* Specifies the field/value extraction mode for the data.

View solution in original post

manjunathmeti · ‎04-07-2020

KV_MODE is search time attribute. This doesn't work in indexers. You need to add it in props.conf in search head(s).

KV_MODE = [none|auto|auto_escaped|multi|json|xml]
* Used for search-time field extractions only.
* Specifies the field/value extraction mode for the data.

KV_MODE=xml not working but xmlkv is

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation

KV_MODE=xml not working but xmlkv is

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...